Add support for SHA256 verification, and use it first
If not available, fall back to MD5. If that succeeds, say so but warn
that it's not considered secure.
Simplified the new code - back to single verifyImage() method which
knows about both checksum types.
Old code used to assume that the last entry in the template chain was
an ImageInfo, so would just use .back() to read that. Now we run
through the chain twice, first for SHA256 and then for MD5. That will
be slower, but the difference will be lost in the noise compared to
the cost of actually checksumming the image.